Why Should I Use a VPN

This is odd. Once you've edited outbound NAT in pfSense, you won't have Internet connectivity (LAN to WAN) even when the OpenVPN client is disabled.

But I saw your screenshot, showing that outbound NAT had been edited!

Very strange!

 

yes im sure im not connected , matter of fact i completely disconnected openvpn and air in taskmanager once disconnected as well , in my host , and set my physical network adapter to 8.8.8.8., i have a static ip set as well and my firewall blocking globals are set to allow as long as i test this , so i have no idea honestly

and ive set ubuntus network adapter1 to NAT and the 2nd one to internal and pfsense , same with pfsense

heres the latest log from a couple secs ago, damn this one is a tough nut i tell ya, btw ill do the email thingy asap



Jan 18 01:50:13 openvpn[8023]: ssl_flags = 0
Jan 18 01:50:13 openvpn[8023]: port_share_host = '[UNDEF]'
Jan 18 01:50:13 openvpn[8023]: port_share_port = 0
Jan 18 01:50:13 openvpn[8023]: client = ENABLED
Jan 18 01:50:13 openvpn[8023]: pull = ENABLED
Jan 18 01:50:13 openvpn[8023]: auth_user_pass_file = '[UNDEF]'
Jan 18 01:50:13 openvpn[8023]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Jan 18 01:50:13 openvpn[8023]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jan 18 01:50:13 openvpn[8023]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 01:50:13 openvpn[8023]: LZO compression initialized
Jan 18 01:50:13 openvpn[8023]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan 18 01:50:13 openvpn[8023]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jan 18 01:50:13 openvpn[8023]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 18 01:50:13 openvpn[8023]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Jan 18 01:50:13 openvpn[8023]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Jan 18 01:50:13 openvpn[8023]: Local Options hash (VER=V4): '22188c5b'
Jan 18 01:50:13 openvpn[8023]: Expected Remote Options hash (VER=V4): 'a8f55717'
Jan 18 01:50:13 openvpn[8193]: UDPv4 link local (bound): [AF_INET]10.0.2.15
Jan 18 01:50:13 openvpn[8193]: UDPv4 link remote: [AF_INET]94.185.85.170:443
Jan 18 01:50:13 openvpn[8193]: TLS: Initial packet from [AF_INET]94.185.85.170:443, sid=415accf7 7533607e
Jan 18 01:50:14 openvpn[8193]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Jan 18 01:50:14 openvpn[8193]: VERIFY OK: nsCertType=SERVER
Jan 18 01:50:14 openvpn[8193]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Jan 18 01:50:15 openvpn[8193]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 18 01:50:15 openvpn[8193]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 18 01:50:15 openvpn[8193]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 18 01:50:15 openvpn[8193]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 18 01:50:15 openvpn[8193]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 18 01:50:15 openvpn[8193]: [server] Peer Connection Initiated with [AF_INET]94.185.85.170:443
Jan 18 01:50:17 openvpn[8193]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 18 01:50:17 openvpn[8193]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.6.38 10.4.6.37'
Jan 18 01:50:17 openvpn[8193]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 18 01:50:17 openvpn[8193]: OPTIONS IMPORT: LZO parms modified
Jan 18 01:50:17 openvpn[8193]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 18 01:50:17 openvpn[8193]: OPTIONS IMPORT: route options modified
Jan 18 01:50:17 openvpn[8193]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 18 01:50:17 openvpn[8193]: ROUTE default_gateway=10.0.2.2
Jan 18 01:50:17 openvpn[8193]: TUN/TAP device /dev/tun1 opened
Jan 18 01:50:17 openvpn[8193]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 18 01:50:17 openvpn[8193]: /sbin/ifconfig ovpnc1 10.4.6.38 10.4.6.37 mtu 1500 netmask 255.255.255.255 up
Jan 18 01:50:17 openvpn[8193]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.4.6.38 10.4.6.37 init
Jan 18 01:50:17 openvpn[8193]: /sbin/route add -net 94.185.85.170 10.0.2.2 255.255.255.255
Jan 18 01:50:17 openvpn[8193]: /sbin/route add -net 0.0.0.0 10.4.6.37 128.0.0.0
Jan 18 01:50:17 openvpn[8193]: /sbin/route add -net 128.0.0.0 10.4.6.37 128.0.0.0
Jan 18 01:50:17 openvpn[8193]: /sbin/route add -net 10.4.0.1 10.4.6.37 255.255.255.255
Jan 18 01:50:17 openvpn[8193]: Initialization Sequence Completed
Jan 18 01:52:24 openvpn[8193]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 18 01:52:24 openvpn[8193]: MANAGEMENT: CMD 'state 1'
Jan 18 01:52:24 openvpn[8193]: MANAGEMENT: CMD 'status 2'
Jan 18 01:52:24 openvpn[8193]: MANAGEMENT: Client disconnected

 

ok up to creating another new pfsense , lols

 

AHA!

The Ubuntu VM should have just one network interface, connected to the VPN internal network that's hosted by the pfSense VM.

The pfSense VM has two, one (WAN) NATed to the host machine, and the other (LAN) hosting the VPN internal network.

 

AHA go to hell , lols , ive just freakin redid the entire pfsense setup , hell im gettin good at this -.-

ill try this asap, anyhow another log just for fun cause thats how i am, and its a different server too


Jan 18 02:49:41 openvpn[14309]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 02:49:41 openvpn[14309]: LZO compression initialized
Jan 18 02:49:41 openvpn[14309]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan 18 02:49:41 openvpn[14309]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jan 18 02:49:41 openvpn[14309]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 18 02:49:41 openvpn[14309]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Jan 18 02:49:41 openvpn[14309]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Jan 18 02:49:41 openvpn[14309]: Local Options hash (VER=V4): '22188c5b'
Jan 18 02:49:41 openvpn[14309]: Expected Remote Options hash (VER=V4): 'a8f55717'
Jan 18 02:49:41 openvpn[14368]: UDPv4 link local (bound): [AF_INET]10.0.2.15
Jan 18 02:49:41 openvpn[14368]: UDPv4 link remote: [AF_INET]178.248.30.131:443
Jan 18 02:49:41 openvpn[14368]: TLS: Initial packet from [AF_INET]178.248.30.131:443, sid=b1c4cd44 666d3e72
Jan 18 02:49:41 openvpn[14368]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Jan 18 02:49:41 openvpn[14368]: VERIFY OK: nsCertType=SERVER
Jan 18 02:49:41 openvpn[14368]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Jan 18 02:49:42 openvpn[14368]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 18 02:49:42 openvpn[14368]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 18 02:49:42 openvpn[14368]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 18 02:49:42 openvpn[14368]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 18 02:49:42 openvpn[14368]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 18 02:49:42 openvpn[14368]: [server] Peer Connection Initiated with [AF_INET]178.248.30.131:443
Jan 18 02:49:44 openvpn[14368]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 18 02:49:44 openvpn[14368]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.3.150 10.4.3.149'
Jan 18 02:49:44 openvpn[14368]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 18 02:49:44 openvpn[14368]: OPTIONS IMPORT: LZO parms modified
Jan 18 02:49:44 openvpn[14368]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 18 02:49:44 openvpn[14368]: OPTIONS IMPORT: route options modified
Jan 18 02:49:44 openvpn[14368]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 18 02:49:44 openvpn[14368]: ROUTE default_gateway=10.0.2.2
Jan 18 02:49:44 openvpn[14368]: TUN/TAP device /dev/tun1 opened
Jan 18 02:49:44 openvpn[14368]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 18 02:49:44 openvpn[14368]: /sbin/ifconfig ovpnc1 10.4.3.150 10.4.3.149 mtu 1500 netmask 255.255.255.255 up
Jan 18 02:49:44 openvpn[14368]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.4.3.150 10.4.3.149 init
Jan 18 02:49:44 openvpn[14368]: /sbin/route add -net 178.248.30.131 10.0.2.2 255.255.255.255
Jan 18 02:49:44 openvpn[14368]: /sbin/route add -net 0.0.0.0 10.4.3.149 128.0.0.0
Jan 18 02:49:44 openvpn[14368]: /sbin/route add -net 128.0.0.0 10.4.3.149 128.0.0.0
Jan 18 02:49:44 openvpn[14368]: /sbin/route add -net 10.4.0.1 10.4.3.149 255.255.255.255
Jan 18 02:49:44 openvpn[14368]: Initialization Sequence Completed
Jan 18 02:49:52 openvpn[14368]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 18 02:49:52 openvpn[14368]: MANAGEMENT: CMD 'state 1'
Jan 18 02:49:52 openvpn[14368]: MANAGEMENT: CMD 'status 2'
Jan 18 02:49:52 openvpn[14368]: MANAGEMENT: Client disconnected
Jan 18 02:55:20 openvpn[14368]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 18 02:55:20 openvpn[14368]: MANAGEMENT: CMD 'state 1'
Jan 18 02:55:20 openvpn[14368]: MANAGEMENT: CMD 'status 2'
Jan 18 02:55:20 openvpn[14368]: MANAGEMENT: Client disconnected
Jan 18 02:57:22 openvpn[14368]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 18 02:57:22 openvpn[14368]: MANAGEMENT: CMD 'state 1'
Jan 18 02:57:22 openvpn[14368]: MANAGEMENT: CMD 'status 2'
Jan 18 02:57:22 openvpn[14368]: MANAGEMENT: Client disconnected

 

one nervous breakdown later....freakin flippin worked , O MY G O D , and with my firewall block rules enabled and airs dns set into my physical, ok now what do we do ,lols, i guess its up to starting incognito vm ey, dont forget what i was aiming for mirimir

 

That's very cool Congratulations!

Sure, import the Incognito VM, and connect its WAN adaptor to your AirVPN VM's VPN internal network. Connect your Ubuntu VM's adaptor to the Tor internal network from the Incognito VM. Then check your IP. It should be a Tor exit.

The next step is creating another pfSense VM, this time for Mullvad. It's WAN connects to the Tor internal network, and its LAN hosts another internal network ("Mullvad" or whatever). It has to use TCP, because Tor can't really handle UDP.

If you'll ever want to chain the two VPN VMs directly, rather than through Tor, they can't have the same LAN IP address. I typically change the "inner" one to 192.168.2.1/24.

Connect your Ubuntu VM's adaptor to the Mullvad internal network, and check your IP. It should be the Mullvad exit.

PS When there are two active network interfaces in Ubuntu, the connection manager can get very squirrelly, especially when they're flapping around. It changes all kinds of stuff, trying to get something connected and working.

 

so ok ive gotten as far as connecting incognito to pfsense vm that connects to air , aka ive set pfsense as network adapter1 internal pfsense , and enabled internal tor in network adapter2 , then ive set ubuntu vm to connect to tor instead of pfsense and before that made sure pfsense openvpn client was enabled over ubuntu beforehand , now i dont get internet access again -.- with this combo , and the next headache , lols

 

I don't think that's right. Do this:

pfSense VM using AirVPN
..........adaptor 1 : NATed to host machine
..........adaptor 2 : connected to internal network "AirVPN"

Incognito gateway VM using Tor
..........adaptor 1 : connected to internal network "AirVPN"
..........adaptor 2 : connected to internal network "Tor"

Ubuntu workstation VM
..........adaptor 1 : connected to internal network "Tor"

 

thats what i did , remember ive set up one pfsense currently not 2 i havent even gotten to my second pfsense aka mullvad,aka when i said pfsense vm adapter1 NAT , adapter2 internal pfsense , theres only one pfsense currently

incognito vm adapter1 connected to internal pfsense , adapter2 internal tor

ubuntu vm , adapter 1 internal tor

not connecting to website in ubuntu

 

You can test in a couple ways to see what's wrong.

But first, you may want to create a Ubuntu LiveCD VM for testing stuff. You can reboot between testing different points in your VM chains, to avoid possible cross contamination. But you'll need a regular Ubuntu ISO, not the alternate. Just create a VM like you did, except attach the ISO to the virtual CD drive as a LiveCD, and delete the VHD.

Anyway, start the pfSense and Incognito VMs, connected as above. Start your Ubuntu VM, connected to the pfSense internal network. Verify that you can see the Internet with the AirVPN exit IP.

Then connect the Ubuntu VM to the Incognito VM, and check whether you see the Internet with a Tor exit IP.

If that's not working, you could also test the Incognito VM using your host machine's AirVPN connection. In that case, change the Incognito VM's WAN adaptor from pfSense back to NATed to host.

 

Ah no worries Well drop me a line if you have any feedback on why you felt our service is lacking and stuff

Would be interested to know! Thanks!!

 

ill do that right now

 

ok , found out what it was , udp, apparently incognito tor dont like udp or somethin, since im able to easily switch between protocols with airs client software


so i guess its up to setting up the other pfsense now, one sec i think im not totaly good , sine ive tried it with my host machine , still gotta see if its the same for the vm airvpn pfsense


update:

nope not working with pfsense , weird, ive changed the required settings like from udp to tcp and updated the dns for tcp as well in the dashboard ,


Start your Ubuntu VM, connected to the pfSense internal network. Verify that you can see the Internet with the AirVPN exit IP.



that works , as already said

 

Well, it's good that it works. But I don't recall that Incognito won't work through UDP VPN. I'll look into that.

What does "updated the dns for tcp as well in the dashboard" mean? For UDP and TCP in the pfSense VPN client setup, the tunnel will use the same DNS server.

However, you might need to change the port for TCP. AirVPN uses port 443 for UDP. That's the normal TCP port. Do they also use port 443 for TCP?

While we're getting this UDP vs TCP thing sorted, you might as well create the pfSense VM for Mullvad.

 

yes they do use the same port , and yeah im gona setup the mullvad pfsense

what did i mean with set udp to tcp well , lemme further elaborate

i meant in the openvpn client tab theres the protocol option to select udp or tcp ive selected tcp since without, tcp wouldnt work of course, and incognito didnt work with udp


btw if you dont know , air uses different dns for different protocols and ports like udp port 53 would be 10.7.0.1 and the tcp equivalent would be 10.8.0.1, get it


update > im currently trying to setup my mullvad pfsense , problem at the certs creation , dont know how to do , ive sent you all the certs per mail check inbox, check em out and let me know what to change , its different from air ,

 

OK. Did you check that the AirVPN connection in pfSense works in TCP mode? Test with the Ubuntu VM (obviously) and look for errors in "Status: System Logs: OpenVPN".

Ah. No, I didn't know that. I only did a trial with AirVPN.

OK, I'll look at that. I know even less about Mullvad, BTW

 

ok ive tried to connect airvpn pfsense with ubuntu over tcp by setting tcp as connection protocol in openvpn client tab with the according dns ,as ive explained , dont work and dont show up in openvpn status either aka it shows status DOWN, but having my airvpn client in my host machine connected to tcp and using ubuntu with incognito worked, incognito dont work with udp over my airvpn client thou as said , all in all incognito not working with pfsense at all no matter what protocol tcp or udp

 

Strange. There are two server certificates -- "ca.crt" and "master.mullvad.net.crt" -- but they seem to be identical. But because the OpenVPN config calls "master.mullvad.net.crt", use that for pfSense "System: Certificate Authority Manager: CAs". The Client Certificate is "mullvad.crt" (with key "mullvad.key").

I'm not sure about encryption algorithm. If you have a working Mullvad connection, look in the log and see what's reported. If you don't want to connect except through Tor, you'll just need to try some, and see what works. Or maybe another Mullvad user can tell us that encryption algorithm it uses. I'd start with "AES-256-CBC (256-bit)", "BF-CBC (128-bit)" and "AES-128-CBC (128-bit)" in that order. Look for errors in the connection log.

As with AirVPN, enable "Compress tunnel packets using the LZO algorithm.

In the pfSense OpenVPN Advanced box, put this:

Code:

remote-cert-tls server;redirect-gateway def1;verb 5

Actually, I'm not sure how to handle "TLS Authentication". It might be better to enable TLS Authentication above (under "Cryptographic Settings") and check "Automatically generate a shared TLS authentication key". Try both, and look for errors in the connection log.

Last, using "openvpn.mullvad.net" might be a problem through Tor, even in TCP mode with port 443. If DNS lookup works, it'll be fine. But, if it doesn't, you'll need to specify one of the numeric IP addresses that it resolves to:

Code:

46.21.99.21
46.21.99.25
46.165.203.78
46.165.207.15
85.17.31.121
95.211.10.68
95.211.13.33
95.211.92.236
95.211.136.21

It's going to take some playing around, I'm afraid.

 

OK, look in the OpenVPN connection log, and see what error it tells you is preventing the connection from working.

That tells us that there's nothing fatal going on. At worst, we can get the pfSense AirVPN client working in TCP mode, and the Incognito Tor gateway should work through it.

That is odd. I'll check with other VPNs that I use, in TCP vs UPD mode. If necessary, I'll get a trial AirVPN account

As I've said, I think that it'll work once we get pfSense connecting to AirVPN in TCP mode.

 

remote-cert-tls server;redirect-gateway def1;verb 5



Actually, I'm not sure how to handle "TLS Authentication". It might be better to enable TLS Authentication above (under "Cryptographic Settings") and check "Automatically generate a shared TLS authentication key".



not sure if it was cause of the tls or the new command



ok that worked , now airvpn works with tcp over pfsense , now time to see if incognito works with it




update>


ok so , nope still not working with pfsense

 

I was talking about the Mullvad setup, there.

What did you change to get AirVPN connecting in TCP mode? What's the Advanced string that works? Did you also enable TLS Authentication under "Cryptographic Settings", and check "Automatically generate a shared TLS authentication key"?

Also, when you say "works", did you test Internet connectivity, as well as seeing that the VPN is up?

Bummer

Try using the last pre-Incognito Tor Gateway VM. Maybe he changed something. And I'll try Incognito with TCP and UDP VPNs.

 

ive enabled tls authentication and replaced the current string with in advanced with

remote-cert-tls server;redirect-gateway def1;verb 5 instead of

ns-cert-type server;explicit-exit-notify 5;redirect-gateway def1;verb 5


im currently working on air , since your still not sure about mullvad atm


update> nope just double checked , tls wasnt even checked was the code



mirimir when i say something works you can conclude i mean internet as well , everything else doesnt count


ok ill do that , ill go and try pre incognito

 

Try this for pfSense AirVPN Advanced in TCP mode:

ns-cert-type server;redirect-gateway def1;verb 5

We know that "ns-cert-type server;explicit-exit-notify 5;redirect-gateway def1;verb 5" works in UDP mode, but maybe TCP mode doesn't like "explicit-exit-notify 5".

Edit: Yes, TCP mode doesn't like it: "Options error: --explicit-exit-notify can only be used with --proto udp Use --help for more information.".

-http://serverfault.com/questions/457047/openvpn-doesnt-works-with-tcp

First test the connection using Firefox in the Ubuntu VM, and then try routing the Incognito VM through it.

I don't really have a way to get more sure about Mullvad, except by getting a trial account So I'd say just go for it, and see if you can beat it into shape

OK, don't enable TLS authentication (for AirVPN) and use the Advanced string that I recommended.

 

ok ive found out , guess what , udp freakin works!!!


and what was the prob , well incognito the crap 0.6 version, go to hell , went with tor gateway 5.3 , works a charm, i could freakin slap myself for that


so now comes mullvad and more


btw mullvad tosses everyone free test accounts for 3 hours just download theyre client sign up a test account by entering a number , and there you go for 3 hours unlimited bandwith, and after that it locks up, you can decide